GDPR – maintaining compliance and Brexit

In our final blog, GDPR – One Year On, Alice Turley examines the impact of the GDPR, maintaining compliance with the Regulation, and the effect of Brexit on the Regulation.

Key messages from the DPC

The Association of Compliance Officers in Ireland held a conference on 31 March 2019 focusing on data breach notifications and risk assessments. Among those speaking was Niall Cavanagh, Assistant Commissioner at the DPC (Data Protection Commission), who gave a number of top tips organisations can follow to comply with the GDPR.

✔️ Report breaches on time

Cavanagh advised that organisations are generally slow to report data breaches, with many under-reporting their breach numbers.

Other firms are batching the notifications, which is no longer permitted, or waiting the maximum 72 hours to contact the DPC. Cavanagh emphasised that if there is any risk to the rights and freedoms of individuals, the breach must be reported.

✔️ Contact data subjects without undue delay

The data subject must be informed without undue delay of any breach that could pose a high risk to their rights and freedoms.

✔️ Have a breach playbook

Cavanagh suggested that the controller should have a “breach playbook” that would clearly describe what steps should be taken, who should be contacted, what communications should be issued, etc.

✔️ Train employees

All staff should be trained on the breach playbook, so that in times of minimum business cover, such as holiday seasons, they know what to do if there is a data breach. It’s also important that staff know how to identify breaches; while most employees would know what a phishing email looks like, how many would recognise or know what to do about a ransomware attack?

Cavanagh also advised organisations to plan and test their response steps, including dry runs to ensure staff know how and to whom to report issues and what actions to take to deal with the incident.

✔️ Retain records

Lastly, Cavanagh underlined the importance of retaining records – logs, records of processing, breach records, etc. – so that the DPC knows how you handled an incident.

Make sure records are backed up so that breaches can be thoroughly investigated. These all go toward meeting your accountability obligations under Article 5(2) of the GDPR, which requires you to demonstrate your compliance with the six data protection principles.

GDPR fines and compensation

We’ve looked at what has happened since 25 May 2018 and, while there have not been any GDPR-related fines from the DPC yet, we can expect to see them start later in the summer.

One aspect of the GDPR that has not yet been properly addressed is how much compensation should be awarded to victims. Before the Regulation came into force, compensation for individuals who had suffered a data breach was not usually very high. As such, data protection claims were generally a bolt-on to other claims in the courts for breaches of confidence, defamation or misuse of private information.

However, it is anticipated that the amount of compensation paid out to victims of data breaches under the GDPR will gradually increase, just as it has in misuse of private information claims.

With the threat of increased claims and higher compensation payouts on the horizon, maintaining compliance with the GDPR is more important than ever.

Maintaining GDPR compliance

Organisations should monitor their data protection compliance at least annually.

In Ireland, organisations must comply not only with the GDPR but also the Data Protection Act 2018, which came into force on 25 May 2018, the same day as the Regulation. This is on top of any codes of practice relevant to your industry.

There is also the ePrivacy Regulation (ePR), which is due to come into force shortly. Similar to the GDPR, it will have a two-year implementation timeframe.

The reality of the GDPR

While many organisations have taken steps to create the documentation required by the GDPR, the reality is that many offer little operational guidance on who needs to do what when a breach occurs. It is vital that controllers are familiar with the online breach notification forms and know what to do when an incident occurs.

The DPC form requests a lot of information about the controller and its business in addition to information about the breach. Ensure that your organisation isn’t looking at the form for the first time while the 72-hour clock is ticking down. Time is of the essence, and you need to be prepared.

Train your staff

According to the EU Commission, regulators have received more than 144,000 complaints since 25 May 2018. The overwhelming reason for these complaints was the failure of controllers to appropriately respond to DSARs (data subject access requests).

Organisations have one month to respond to a request, and the clock starts ticking as soon as the request is received. All employees should be able to recognise when somebody is requesting their personal data, whether over the phone, via email, by post or even in person, and what steps need to be taken, who needs to be informed, what records should be redacted, etc.

Organisational measures

Organisational measures, as distinct from technical measures, are the arrangements put in place with the use of processes, procedures and policies, such as password policies, mobile device policies, staff training and awareness programmes, etc.

It’s important that your risk methodology can assess whether your data breach is low-, medium- or high-risk. While all data breaches must be reported to the DPC, only those posing a high risk to the rights and freedoms of individuals will need to be notified to the data subjects themselves.

Appropriate measures

Organisations should take a risk-based approach, assessing their personal data processing activities, identifying any that are likely to result in a high risk to the rights of individuals, and implementing controls to mitigate the risk. This includes putting appropriate technical and organisational measures in place. Technical measures include using firewalls, segregating networks, using encryption, anonymising where possible, running vulnerability scans and conducting penetration tests.

How will Brexit affect the GDPR?

As many are aware, the Brexit deadline has been moved to 31 October 2019, and there is the very real possibility of the UK leaving the EU without a withdrawal agreement or deal in place.

Should this happen, the UK will become a third country. A third country is any country or territory outside the EEC, and while data transfers to a third country can happen, this is only if the third country is deemed to have an adequate level of data protection. This is a detailed process that must be completed with the European Commission and can take months to years. The UK can only apply to become an adequate country when it has exited the EU. Any organisation transferring data from an EEC country to a third country without an adequacy decision must adopt appropriate safeguards. There are several appropriate safeguards, including:

Binding corporate rules;

Certification mechanisms; and

SCCs (standard contractual clauses).

The DPC recommends that any Irish organisation intending to transfer personal data to the UK post-Brexit puts in place specific safeguards to protect the data being transferred, and recommends the use of SCCs.

These are pre-drafted contracts available on the EEC’s website. As long as the clauses are not amended within the contracts, the agreements will stand and are binding.

Keep up to date with the latest GDPR news

You can also sign up to our weekly newsletter. These free emails will keep you up to date with breaches, fines and data privacy legislation.

This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’.

Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries.